11. Continual Improvement
The organization shall continually improve the effectiveness of the ORMS through the use of the ORMS policy, objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review.
11.2 Nonconformities, Corrective and Preventive Action
The organization shall establish, implement, and maintain procedures for dealing with nonconformities and for taking corrective and preventive action. The procedures shall define requirements for:
Identifying and correcting nonconformities and taking actions to mitigate their consequences;
Evaluating the need for actions to prevent nonconformities and implementing appropriate actions designed to avoid their occurrence;
Investigating nonconformities, determining their root causes, and taking actions in order to avoid their recurrence;
Recording the results of corrective and preventive actions taken;
Assessing how corrective and preventive actions modify risk; and
Reviewing the effectiveness of corrective and preventive actions taken.
The organization shall ensure that proposed changes are made to the ORMS documentation.
11.3 Change Management
The organization shall establish a defined and documented change management program to ensure that any internal or external changes that impact the organization are reviewed in relation to the ORMS. It shall identify any new critical activities that need to be included in the ORMS change management program.
11.4 Opportunities for Improvement
The organization shall monitor, evaluate, and exploit opportunities for improvement in ORMS performance and eliminate the causes of potential problems, including:
Ongoing monitoring of the operational and risk landscape to identify potential problems and opportunities for improvement;
Determining and implementing action needed to improve risk management and security and resilience performance; and
Reviewing the effectiveness of the action taken to improve performance.
Actions taken shall be appropriate to the impact of the potential problems, and the organization’s obligations and resource realities.
Top management, in collaboration with key risk stakeholders, shall ensure that actions are taken without undue delay to exploit opportunities for improvement. Where existing arrangements are revised and new arrangements introduced that could impact on the management of risk, operations and activities, the organization shall consider the associated risks before their implementation.
The results of the reviews and actions taken shall be clearly documented and records shall be maintained. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.